Tuesday, November 29, 2005

Note that a security re-assessment done for the state of Ohio found that a tester successfully "copied the GEMS database to a USB drive and moved it to a laptop containing MS Access. Changes were made to add votes for one candidate. The database was copied back over to the original GEMS server. The changes were reflected in the Election Summary ...." A 2nd successful writeover was accomplished using Visual Basic instead of Access. A 3rd attempt to just run through the firewall was not successful. Ohio is trying to remedy this with a product lock on the GEMS database called "Digital Guardian" made by Verdasys. Digital Guardian added substantial protection, unless it was run in "safe mode," whereby it was circumvented through multiple conduits. On the last day of testing Verdasys gave a patch to the testers to deal with the safe mode ("Verdasys acknowledged that Compuware had identified a bug in the Digital Guardian software").

The testing company for Ohio, Compuware, assessed that "there is a risk that an unauthorized person with access to the GEMS server can access the database and change ballot definition files and/or election results." [document page 17] The "risk likelihood" is "HIGH." The "impact rating" on election integrity of such a compromise is "HIGH." [Alternate link to original PDF file, here.]

Adding a "Digital Guardian" lock to California is not a simple matter: "Implementation of this [Digital Guardian] technology is very complex and requires expertise that each individual county cannot be expected to provide."

Know anybody that's got a laptop and a USB drive? I sure do. If you're in California, you might want to say something about it, or even - if I may be so bold - join the EFF.

If you're in another state in the U.S., you might be able to find a contact here.

If you're in another country, none of our Republican elected officials will listen to you unless you have oil or nuclear weapons, so thank you for your time.